Week 16 in Review – 2012

Event Related

Hackito Ergo Sum 2012

TALKS // Hackito Ergo Sum 2012 – 2012.hackitoergosum.org
In this presentation we will cover critical aspects of web applications, and how these techniques can be used on real life scenario on big (and highly “secured”) websites. These bugs and methods will be able to assist you in your next bug-hunting in your pentest or (god-forbid) bounty program.
We will reveal several vulnerabilities found on real big scale and important websites.

Hackito Ergo Sum 2012 – breakingcode.wordpress.com
The event took place at the headquarters of the French Communist Party, and I have to say the conference room was quite impressive. It was an underground dome all covered with white metallic plates and lamps behind, giving a peculiar visual effect.

VLAN Network Segmentation and Security - Chapter 5 – resources.infosecinstitute.com
In this chapter, we step through a description of VLAN technology, how to secure it (including basic switch security), and how to control packets to increase the overall strength of attack surface defense. I use the term packet instead of frame to refer to transmission entities at both the network and the data link layers.

Penetration Testing for iPhone Applications - Part 2 – resources.infosecinstitute.com
Every iPhone has an associated unique device Identifier derived from a set of hardware attributes called UDID. UDID is burned into the device and one cannot remove or change it. However, it can be spoofed with the help of tools like UDID Faker.

From LOW to PWNED [0] Intro – carnal0wnage.attackresearch.com
I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.

Analysis of the Eleonore exploit pack shellcode – blogs.technet.com
‘Eleonore’ is a malware package that contains a collection of exploits used to compromise web pages. When the compromised web pages are viewed via vulnerable systems, the exploit payload is run.

Tools

InteractiveSieve – blog.didierstevens.com
Interactive Sieve is a program I developed to help you analyze log files and other data in tabular form. It’s designed to help you when you don’t know exactly what you’re looking for. You sift through the data by hiding or coloring events (or data) that are not relevant.

DOE Lab Releases Open-Source Attack Intelligence Tool – darkreading.com
The U.S. Department of Energy’s Pacific Northwest National Laboratory (PNNL) is offering an open-source version of a homegrown tool that gathers an additional layer of intelligence during an attack.

SQL Server 2012 Best Practices Analyzer – blogs.msdn.com
I’m pleased to announce that SQL Server 2012 Best Practices Analyzer (BPA) has been released and is available for download at http://www.microsoft.com/download/en/details.aspx?id=29302.

Techniques

Hack Tips: Good for Enterprise Exploitation – blog.opensecurityresearch.com
Good for Enterprise™ is a suite of powerful mobile device management tools that bring military-grade security, end-to-end data loss prevention, and collaboration features to today’s most popular smartphones and tablets — without compromising IT security and control.

XSS Shortening Cheatsheet – labs.neohapsis.com
In the course of a recent assessment of a web application, I ran into an interesting problem. I found XSS on a page, but the field was limited (yes, on the server side) to 20 characters.

Extracting AES keys from iPhone – securitylearn.wordpress.com
The iPhone application processor comes with two built-in encryption keys – UID, GID. OS running on the device cannot read the hardcoded keys but it can use the keys to generate other encryption keys used for data protection, media encryption and keychain encryption. The hardcoded keys can only be used from bootloader and kernel mode.

15-year-old arrested for hacking 259 companies – zdnet.com
A 15-year-old boy has been arrested for hacking into 259 companies during a 90-day spree. In other words, during the last quarter he successfully attacked an average of three websites per day.

3 million bank accounts hacked in Iran – zdnet.com
First, he warned of the security flaw in Iran’s banking system. Then he provided them with 1,000 bank account details. When they didn’t listen, he hacked 3 million accounts across at least 22 banks.
